NIST Finalizes SP 800-82 Revision 3 for OT Cybersecurity — June 13, 2024

Executive briefing: On 13 June 2024 the National Institute of Standards and Technology (NIST) released the final publication of Special Publication (SP) 800-82 Revision 3, updating its flagship guidance on securing operational technology (OT) and industrial control systems. The revision incorporates lessons from ransomware incidents, supply chain compromises, and zero trust adoption to help asset owners safeguard safety-critical operations.

What changed

• Expanded threat coverage. New material addresses ransomware playbooks, exploitation of remote access services, and adversary use of living-off-the-land techniques within plants.
• Zero trust integration. NIST explains how to layer zero trust principles onto OT network segments while preserving determinism for industrial protocols.
• Supply chain controls. Guidance clarifies asset inventory expectations, vendor risk due diligence, and SBOM usage for programmable logic controllers and safety systems.

Control alignment guidance

• NIST CSF 2.0 PR.AA and PR.PS. Use SP 800-82 mappings to confirm OT asset management and protective technology safeguards meet updated CSF outcomes.
• NERC CIP integration. Energy operators can cross-reference SP 800-82 Rev. 3 with CIP-005, CIP-007, and CIP-010 controls to refine remote access, patching, and configuration baselines.
• Incident response exercises. Align tabletop scenarios with the publication’s ransomware and remote access kill chains to validate containment plans.

Operational recommendations

• Re-evaluate OT network segmentation and jump host policies against the zero trust architectural considerations outlined in Chapter 6.
• Expand supplier contracts to require vulnerability disclosure processes and signed SBOMs for embedded systems.
• Update OT incident response runbooks with revised detection and recovery checklists for ransomware and wiper events.